I am using 5.0.7-0 Zeek-LTS. I obtained the ID and mime_type from the log files and saved them in JSON format as “.log”. In another .zeek file, where the files are extracted, I edited the name format of the extracted files. I want to add the file extension to the output file (e.g. extracted_file.pdf). When I use the function on_add(f:fa_file, Files::AnalyzerArgs) or file_sniff, I don’t get the correct extension. How could I solve that problem and get the right mime_type?
When I got the meta$mime_type, parsed it, and added it to the end of the extracted file name, the wrong extension appeared. For instance, in the log file (comparing the ID of the file to check that it is the same file) the mime type was jpeg and the extracted file was also an image, but the name of the file had html in it: extract_ID_html, where it should be extract_ID_jpeg. So I need the exact mime type of the file. I also tried to take it from the log file using a global value, but it did not correspond to the right type. It seems to be the same as the extracted file name.
As for why I’m doing this: for example, when a PDF file is extracted, it gives an error when I want to open it. The extensions should be written at the end of the files as “.pdf” so that I do not have to change the name of each file repeatedly.
Hello @SFD - I’m afraid you need to provide example snippets or output and what you’re instead expecting.
I may have suggested that before, but have you looked into the hosom/file-extraction package, or installed it via zkg to see if that provides the wanted behavior? It contains a table mapping some known mime-types to file extensions, and I wonder if this is what you need?
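
An added example, not part of the thread and not code from the hosom/file-extraction package: a Zeek script that looks up the extension in a MIME-to-extension table inside `file_sniff` and attaches the extract analyzer with that name. The module name, the table entries, the `extract_` prefix and the `bin` fallback are assumptions made for illustration.

```zeek
# Added example; module name, table contents and naming scheme are
# illustrative assumptions, not taken from the thread.
@load base/files/extract

module ExtractWithExt;

export {
	## MIME type -> file name extension. Redef to add more types.
	const mime_to_ext: table[string] of string = {
		["application/pdf"] = "pdf",
		["image/jpeg"] = "jpg",
		["image/png"] = "png",
		["text/html"] = "html",
		["application/zip"] = "zip",
		["application/x-dosexec"] = "exe",
	} &redef;
}

event file_sniff(f: fa_file, meta: fa_metadata)
	{
	# mime_type is an optional field: it is unset when no signature
	# matched, so test for it before reading it.
	local ext = "bin";
	if ( meta?$mime_type && meta$mime_type in mime_to_ext )
		ext = mime_to_ext[meta$mime_type];

	# The name is built only from this file's own Zeek-generated id and
	# its own sniffed type. Nothing is kept in a global between events,
	# and no name supplied by the traffic ends up in the path.
	local fname = fmt("extract_%s.%s", f$id, ext);

	Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
	                    [$extract_filename=fname]);
	}
```

The `id` written into the file name is the same value that appears in the `fuid` column of files.log, so an extracted file can be checked against the `mime_type` logged for it.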